Pseudonymous cybersecurity researcher Marco Croc of Kupia Security has identified a reentrant vulnerability in decentralized finance (DeFi) protocol Curve Finance. In an X thread, he explained how the bug could be exploited to manipulate balances and withdraw funds from liquidity pools.

Marco Croc explained that Curve Finance acknowledges potential vulnerabilities and “recognizes the severity of the vulnerability.” After a thorough investigation, Curve Finance awarded Marco Croc the maximum error award of $250,000.

According to Curve Finance, the threat was not classified as “very dangerous” and they believed that they would be able to recover the stolen funds in such a situation. However, the protocol noted that a security incident of any scale “might have created serious panic.”

Curve Finance survived a $62 million hack in July. As part of returning to normalcy, the DeFi protocol voted to compensate liquidity providers (LPs) worth $49.2 million in assets.

On-chain data confirms that 94% of token holders have approved the distribution of over $49.2 million worth of tokens to cover losses of Curve, JPEG’d (JPEG), Alchemix (ALCX), and Metronome (MET) pools.

According to Curve’s proposal, the community fund will provide Curve DAO (CRV) tokens. The final amount includes a deduction for tokens recovered since the incident.

“In total, the recovery of ETH 2,887 was calculated to be 5919.2226 ETH, the CRV to be recovered was calculated to be 34,733,171.51 CRV, and the total to be distributed was calculated to be 55,544,782.73 CRV,” the proposal states.

The attacker exploited a vulnerability in stable repositories using some versions of the Vyper programming language. The bug made Vyper versions 0.2.15, 0.2.16 and 0.3.0 vulnerable to reentrant attacks.

You can also freely share your thoughts and comments about the topic in the comment section. Additionally, don’t forget to follow us on our Telegram, YouTube, and Twitter channels for the latest news and updates.

The post Curve Finance Awarded a Security Researcher appeared first on Coin Engineer.

According to the security firm PeckShield, the DeFi yield aggregator Zunami Protocol has suffered an hack attack that will result in losses exceeding $2.1 million.

On Monday morning, PeckShield disclosed an assault involving two big transactions. PeckShield reported that the hacking of funds from Zunami Protocol occurred through the mixing service Tornado Cash.

Following PeckShield’s warning, the Protocol stated, “zStables seems to have faced an attack.”‘ However, they added that the collateral is safe and the team has started investigating.

You might like: Polygon-based Y00TS NFTs to Move to Ethereum

Zunami Protocol Price Manipulation Attack

In a tweet, the security company pointed out that the Zunami Protocol hack exploited a price manipulation issue, which could be further leveraged through donations to inaccurately calculate the price.

Xian Yu, the founder of SlowMist, said today that their firm detected the security vulnerability two months ago. This project fell victim to price manipulation attacks, suffering losses exceeding $2.1 million. Yu, also known as Cos, emphasized, “What’s crucial is our system identifying this risk two months ago and them informing us proactively.”

You can share your opinions in the comments about the topic. Also, follow us on Telegram, Twitter, and YouTube for more content like this.

The post Zunami Protocol Hit by $2.1 Million Price Manipulation Hack! appeared first on Coin Engineer.

Today, Attackers have exploited Curve Finance pools. This situation happened due to Vyper compiler had an error caused by 0.2.16, 0.2.15, and 0.3.0 versions. Furthermore, in this attack, the hackers stole 32M CRV (It is worth $24 million) from CRV/ETH pools. After this attack, Vyper posted a tweet below.

PSA: Vyper versions 0.2.15, 0.2.16 and 0.3.0 are vulnerable to malfunctioning reentrancy locks. The investigation is ongoing but any project relying on these versions should immediately reach out to us.

— Vyper (@vyperlang) July 30, 2023

Besides, If the problem still goes on, all CRV/WETH pools might be hacked according to explaining by Vyper. So, this issue can affect all WETH pools. However, Curve Finance has announced that other pools are safe. Thus, WETH pools will not have issues because of CRV issues.

"All affected pools have been drained or white hacked.

All remaining pools are safe and unaffected by the bug"

Statement from CRV Discord pic.twitter.com/EvN2hXyB3E

— Spreek (@spreekaway) July 30, 2023

DeFi platforms have been affected due to the Curve Finance issue.

Many DeFi protocols also faced this issue. Alchemix announced that it lost about 5,000 ETH. According to Alchemix’s statement, alETH/ETH pools have been exploited by a hacker while queuing the transactions.

It is clear that the issues caused by Vyper are just pool issues. Therefore, these attacks will affect just pools. In addition, CRV Token price is currently 0.62 dollars.

You might like: SEC and Binance are Uniting Against Eeon’s Lawsuit Intervention.

Convex Finance has been badly affected

Convex Finance is one of the projects related to Curve. For this reason, 9.24% of the share Convex is at a loss which is worth 30%. If this price keeps going down Convex Finance might go bankrupt.

What did the Hacker do after attacking?

CRV tokens are still in the hacker’s wallet after the attack. Moreover, some CRV was swapped to WETH. Briefly, the hacker’s wallet includes assets which are worth $19M.

 Curve Finance Founder’s position might be liquidated.

The CEO sent his $300M CRV token to the AAVE platform. After that, he borrowed $60M. It is thought that the CEO bought a new house in Australia with this money. Also, If the CEO cannot pay his loan AAVE might face this kind of issue.

You may also like: What Is Smart Contract?

You can type your opinions in the comments. Follow us on Telegram and YouTube for this kind of news.

The post Curve Finance (CRV) was exploited. Hackers stole over $47M. appeared first on Coin Engineer.